Commit b3daa04
authored
chore(deps): patch ws and form-data advisories in approuter (#41)
Resolves two open Dependabot alerts:
- #193 form-data <4.0.6 CRLF injection (high) -> form-data 4.0.6
- #194 ws <7.5.11 memory-exhaustion DoS (high) -> ws 7.5.11
How:
- Lockfile in app/router/ was stale at @sap/approuter 21.5.0 even
though PR #37 had already bumped the manifest to ^22.0.1.
Regenerated it; npm resolves to @sap/approuter 22.0.3 (latest),
which pulls axios 1.16.1 -> form-data 4.0.6. Closes #193.
- @sap/approuter 22.0.3 still pins ws: '7.5.10' exactly, so a
lockfile-only fix can't reach 7.5.11. Added an npm 'overrides'
entry to force ws ^7.5.11. Closes #194.
The override is a workaround until SAP bumps the ws pin in a future
@sap/approuter release. ws 7.5.11 is a patch over 7.5.10 (same minor
line), so the risk of regression is low; the approuter module still
loads cleanly with the override applied.
Verified: npm audit in app/router/ reports 0 vulnerabilities;
node -e "require('@sap/approuter')" loads without errors.
Co-authored-by: Thomas Jung <12159356+jung-thomas@users.noreply.github.com>1 parent d88700a commit b3daa04
2 files changed
Lines changed: 27 additions & 23 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3 | 3 | | |
4 | 4 | | |
5 | 5 | | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
6 | 9 | | |
7 | 10 | | |
8 | 11 | | |
| |||
0 commit comments